-rw-r--r-- | .copr/Makefile | 4 | ||||
-rw-r--r-- | .copr/prepare.sh | 17 | ||||
-rw-r--r-- | Makefile | 16 | ||||
-rw-r--r-- | contrib/build_rpm.sh | 8 | ||||
-rw-r--r-- | contrib/spec/podman.spec.in | 40 | ||||
-rw-r--r-- | install.md | 2 | ||||
-rw-r--r-- | libpod/runtime.go | 18 | ||||
-rw-r--r-- | libpod/volume_internal.go | 12 | ||||
-rw-r--r-- | pkg/adapter/containers.go | 3 | ||||
-rw-r--r-- | rootless.md | 2 | ||||
-rw-r--r-- | troubleshooting.md | 15 |
11 files changed, 105 insertions, 32 deletions
diff --git a/.copr/Makefile b/.copr/Makefile index 71142920b..465a52b15 100644 --- a/.copr/Makefile +++ b/.copr/Makefile @@ -8,11 +8,11 @@ SHORT_COMMIT ?= $(shell git rev-parse --short=8 HEAD) srpm: mkdir -p $(topdir) sh $(current_dir)/prepare.sh - rpmbuild -bs -D "dist %{nil}" -D "_sourcedir build/" -D "_srcrpmdir $(outdir)" -D "_topdir $(topdir)" --nodeps contrib/spec/podman.spec + rpmbuild -bs -D "dist %{nil}" -D "_sourcedir build/" -D "_srcrpmdir $(outdir)" -D "_topdir $(topdir)" --nodeps ${extra_arg:-""} contrib/spec/podman.spec build_binary: mkdir -p $(topdir) - rpmbuild --rebuild -D "_rpmdir $(outdir)" -D "_topdir $(topdir)" $(outdir)/podman-*.git$(SHORT_COMMIT).src.rpm + rpmbuild --rebuild -D "_rpmdir $(outdir)" -D "_topdir $(topdir)" ${extra_arg:-""} $(outdir)/podman-*.git$(SHORT_COMMIT).src.rpm clean: rm -fr rpms diff --git a/.copr/prepare.sh b/.copr/prepare.sh index d8ad34d08..713cdc2ee 100644 --- a/.copr/prepare.sh +++ b/.copr/prepare.sh @@ -1,12 +1,14 @@ #!/bin/sh -euf -set -x +set -euxo pipefail OS_TEST=${OS_TEST:=0} if [ ! -e /usr/bin/git ]; then dnf -y install git-core fi -git fetch --unshallow || : +if [ -f $(git rev-parse --git-dir)/shallow ]; then + git fetch --unshallow +fi COMMIT=$(git rev-parse HEAD) COMMIT_SHORT=$(git rev-parse --short=8 HEAD) @@ -26,7 +28,12 @@ if [ ${OS_TEST} -eq 0 ]; then sed -i "s/${BR}/${NEWBR}/g" contrib/spec/podman.spec fi -mkdir build/ +mkdir -p build/ git archive --prefix "libpod-${COMMIT_SHORT}/" --format "tar.gz" HEAD -o "build/libpod-${COMMIT_SHORT}.tar.gz" -git clone https://github.com/containers/conmon -cd conmon && git checkout 6f3572558b97bc60dd8f8c7f0807748e6ce2c440 && git archive --prefix "conmon/" --format "tar.gz" HEAD -o "../build/conmon.tar.gz" +if [ ! -d conmon ]; then + git clone -n --quiet https://github.com/containers/conmon +fi +pushd conmon +git checkout 6f3572558b97bc60dd8f8c7f0807748e6ce2c440 +git archive --prefix "conmon/" --format "tar.gz" HEAD -o "../build/conmon.tar.gz" +popd 
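Review bot: `${extra_arg:-""}` on both changed rpmbuild recipe lines is expanded by Make, not by the shell: because the reference contains a `:` but no `=`, GNU Make treats the whole text `extra_arg:-""` as a variable name, which is undefined and expands to nothing, so rpmbuild never sees the extra option. If the value is meant to arrive from the environment of the `make -f .copr/Makefile` call in contrib/build_rpm.sh (it must be exported for that), a plain Make reference is empty when unset and otherwise passes the option through: `rpmbuild -bs -D "dist %{nil}" -D "_sourcedir build/" -D "_srcrpmdir $(outdir)" -D "_topdir $(topdir)" --nodeps $(extra_arg) contrib/spec/podman.spec`, and likewise `$(extra_arg)` on the `--rebuild` line. Handing the default to the shell instead would need a doubled dollar, `$${extra_arg:-}`; the `:-""` form is best avoided there too, since it yields an empty-string argument to rpmbuild when the variable is unset.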
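Review bot: `set -euxo pipefail` on the first changed line of .copr/prepare.sh, and `pushd conmon`/`popd` in the second prepare.sh hunk, are bash features while the shebang stays `#!/bin/sh -euf`; on a POSIX `/bin/sh` without pipefail support `set -o pipefail` is rejected by a special builtin and the script aborts, and `pushd`/`popd` are not available at all. Either change the shebang to `#!/bin/bash` (the `-euf` shebang flags are then redundant with the `set` line) or keep `set -eux` and replace the `pushd`/`popd` pair with `(cd conmon && git checkout … && git archive …)` in a subshell. The new `[ -f $(git rev-parse --git-dir)/shallow ]` test should also quote its command substitution, `[ -f "$(git rev-parse --git-dir)/shallow" ]`, so a git directory path containing spaces does not break the test under `-u`/`-f`.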
@@ -318,7 +318,7 @@ $(MANPAGES): %: %.md .gopathok docdir: mkdir -p docs/build/man -docs: docdir $(MANPAGES) ## Generate documentation +docs: .install.md2man docdir $(MANPAGES) ## Generate documentation install-podman-remote-%-docs: podman-remote docs $(MANPAGES) rm -rf docs/build/remote @@ -532,19 +532,23 @@ vendor-in-container: .PHONY: \ .gopathok \ binaries \ + changelog \ clean \ - validate.completions \ default \ docs \ gofmt \ + golangci-lint \ help \ install \ - golangci-lint \ + install.libseccomp.sudo \ lint \ pause \ - uninstall \ shell \ - changelog \ + uninstall \ validate \ - install.libseccomp.sudo \ + validate.completions \ vendor + +rpm: + @echo "Building rpms ..." + ./contrib/build_rpm.sh diff --git a/contrib/build_rpm.sh b/contrib/build_rpm.sh index b2560fb1a..507c03591 100644 --- a/contrib/build_rpm.sh +++ b/contrib/build_rpm.sh @@ -22,7 +22,6 @@ declare -a PKGS=(device-mapper-devel \ glib2-devel \ glibc-static \ golang \ - golang-github-cpuguy83-go-md2man \ gpgme-devel \ libassuan-devel \ libseccomp-devel \ @@ -41,14 +40,19 @@ if [ $pkg_manager == "/usr/bin/dnf" ]; then PKGS+=(btrfs-progs-devel) fi +fi +# golang-github-cpuguy83-go-md2man is needed for building man pages +# It is not available by default in CentOS 8 making it optional +if [ -z "$extra_arg" ]; then + PKGS+=(golang-github-cpuguy83-go-md2man) fi echo ${PKGS[*]} $pkg_manager install -y ${PKGS[*]} make -f .copr/Makefile -rpmbuild --rebuild podman-*.src.rpm +rpmbuild --rebuild ${extra_arg:-""} podman-*.src.rpm # Test to make sure the install of the binary works $pkg_manager -y install ~/rpmbuild/RPMS/x86_64/podman-*.x86_64.rpm diff --git a/contrib/spec/podman.spec.in b/contrib/spec/podman.spec.in index f282642f3..4a3704811 100644 --- a/contrib/spec/podman.spec.in +++ b/contrib/spec/podman.spec.in 
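Review bot: the new `rpm` target at the end of the second Makefile hunk is not added to the `.PHONY` list that the same hunk reorders, so a file or directory named `rpm` in the checkout would make `make rpm` report it up to date and skip the build; add `rpm \` to the list between `pause \` and `shell \`. The target also lacks the `##` help comment the other targets in this file carry (compare `docs: … ## Generate documentation` in the first hunk); `rpm: ## Build rpm packages via contrib/build_rpm.sh (installs build dependencies with the system package manager; needs root)` documents the side effect visible in the build_rpm.sh hunk below, where `$pkg_manager install -y ${PKGS[*]}` runs directly.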
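Review bot: `extra_arg` in the new `if [ -z "$extra_arg" ]` test and on the `rpmbuild --rebuild ${extra_arg:-""}` line of contrib/build_rpm.sh is never assigned in the script, so it is an undocumented environment contract, and if the script runs with `set -u` (its header is outside the hunk) the bare `"$extra_arg"` aborts the script when unset. Document it next to the new comment, e.g. `# extra_arg (environment, optional): extra rpmbuild options, e.g. "--without doc" to skip man pages on CentOS 8 where go-md2man is unavailable`, and test `"${extra_arg:-}"` instead. On the rpmbuild line the unquoted `${extra_arg:-""}` still produces an empty-string argument when the variable is unset, which rpmbuild may try to open as a source rpm; `${extra_arg:-}` expands to nothing in that case. The same `:-""` default appears in the .copr/Makefile hunk above, where it is Make rather than the shell that expands it.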
@@ -1,9 +1,9 @@ %global with_devel 0 %global with_bundled 1 -%global with_debug 1 %global with_check 0 %global with_unit_test 0 -%global with_doc 1 +%bcond_without doc +%bcond_without debug %if 0%{?fedora} >= 28 %bcond_without varlink @@ -11,7 +11,7 @@ %bcond_with varlink %endif -%if 0%{?with_debug} +%if %{with debug} %global _find_debuginfo_dwz_opts %{nil} %global _dwz_low_mem_die_limit 0 %else @@ -61,7 +61,7 @@ BuildRequires: glib2-devel BuildRequires: glibc-devel BuildRequires: glibc-static BuildRequires: git -%if 0%{?with_doc} +%if %{with doc} BuildRequires: go-md2man %endif BuildRequires: gpgme-devel @@ -355,6 +355,15 @@ This package contains unit tests for project providing packages with %{import_path} prefix. %endif +%if %{with doc} +%package manpages +Summary: Man pages for the %{name} commands +BuildArch: noarch + +%description manpages +Man pages for the %{name} commands +%endif + %prep %autosetup -Sgit -n %{repo}-%{shortcommit0} @@ -363,7 +372,7 @@ tar zxf %{SOURCE1} sed -i 's/install.remote: podman-remote/install.remote:/' Makefile sed -i 's/install.bin: podman/install.bin:/' Makefile -%if 0%{?with_doc} +%if %{with doc} sed -i 's/install.man: docs/install.man:/' Makefile %endif @@ -379,7 +388,7 @@ export BUILDTAGS="varlink selinux seccomp $(hack/btrfs_installed_tag.sh) $(hack/ GOPATH=$GOPATH go generate ./cmd/podman/varlink/... -%if 0%{?with_doc} +%if %{with doc} BUILDTAGS=$BUILDTAGS make binaries docs %else BUILDTAGS=$BUILDTAGS make binaries @@ -400,6 +409,7 @@ popd %install install -dp %{buildroot}%{_unitdir} install -dp %{buildroot}%{_usr}/lib/systemd/user +%if %{with doc} PODMAN_VERSION=%{version} %{__make} PREFIX=%{buildroot}%{_prefix} ETCDIR=%{buildroot}%{_sysconfdir} \ install.bin \ install.remote \ 
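Review bot: the `%package manpages` subpackage added in the `@@ -355,6 +355,15 @@` hunk moves the man pages out of the main package (the `%files` hunk further down drops the `%{_mandir}` entries from it) without any dependency linking the two, so an upgrade silently removes documentation that installed systems had before. A weak dependency in the main package preamble, `Recommends: %{name}-manpages = %{version}-%{release}`, keeps the pages installed by default while still allowing them to be left out; `Recommends:` needs rpm weak-dependency support, which the Fedora releases this spec already tests for (`0%{?fedora} >= 28`) have — confirm for the oldest CentOS target the rpm build script supports. Guarding the subpackage with the same `%if %{with doc}` as its `%files` section is consistent.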
@@ -407,6 +417,14 @@ PODMAN_VERSION=%{version} %{__make} PREFIX=%{buildroot}%{_prefix} ETCDIR=%{build install.cni \ install.systemd \ install.completions +%else +PODMAN_VERSION=%{version} %{__make} PREFIX=%{buildroot}%{_prefix} ETCDIR=%{buildroot}%{_sysconfdir} \ + install.bin \ + install.remote \ + install.cni \ + install.systemd \ + install.completions +%endif mv pkg/hooks/README.md pkg/hooks/README-hooks.md @@ -489,10 +507,6 @@ export GOPATH=%{buildroot}/%{gopath}:$(pwd)/vendor:%{gopath} %license LICENSE %doc README.md CONTRIBUTING.md pkg/hooks/README-hooks.md install.md code-of-conduct.md transfer.md %{_bindir}/%{name} -%if 0%{?with_doc} -%{_mandir}/man1/*.1* -%{_mandir}/man5/*.5* -%endif %{_datadir}/bash-completion/completions/* %{_datadir}/zsh/site-functions/* %{_libexecdir}/%{name}/conmon @@ -522,6 +536,12 @@ export GOPATH=%{buildroot}/%{gopath}:$(pwd)/vendor:%{gopath} %doc README.md CONTRIBUTING.md pkg/hooks/README-hooks.md install.md code-of-conduct.md transfer.md %{_bindir}/%{name}-remote +%if %{with doc} +%files manpages +%{_mandir}/man1/*.1* +%{_mandir}/man5/*.5* +%endif + %changelog * Sat Aug 4 2018 Dan Walsh <dwalsh@redhat.com> - 0.8.1-1.git6b4ab2a - Bump to v0.8.1 diff --git a/install.md b/install.md index 39b639176..bd3732083 100644 --- a/install.md +++ b/install.md @@ -68,7 +68,7 @@ The latest builds are available in a PPA. Take note of the [Build and Run Depend ```bash sudo apt-get update -qq -sudo apt-get install -qq -y software-properties-common uidmap +sudo apt-get install -qq -y software-properties-common uidmap slirp4netns sudo add-apt-repository -y ppa:projectatomic/ppa sudo apt-get update -qq sudo apt-get -qq -y install podman diff --git a/libpod/runtime.go b/libpod/runtime.go index 42e6782e9..3873079ce 100644 --- a/libpod/runtime.go +++ b/libpod/runtime.go 
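Review bot: the `%else` branch added in the `%install` hunk repeats the whole `PODMAN_VERSION=%{version} %{__make} PREFIX=… install.bin … install.completions` invocation from the `%if %{with doc}` branch; the two appear to differ only by a man-page install target in the lines between the hunks, which are outside this hunk, so the copies will drift the next time an install target is added. Since `%bcond_without doc` defines the `with_doc` macro whenever the feature is enabled, a single invocation with a conditional word in the target list avoids the duplication: `%{?with_doc:install.man} \` placed among the `install.*` lines, dropping the `%if`/`%else`/`%endif` around the call.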
@@ -625,7 +625,8 @@ func (r *Runtime) refresh(alivePath string) error { } // Next refresh the state of all containers to recreate dirs and - // namespaces, and all the pods to recreate cgroups + // namespaces, and all the pods to recreate cgroups. + // Containers, pods, and volumes must also reacquire their locks. ctrs, err := r.state.AllContainers() if err != nil { return errors.Wrapf(err, "error retrieving all containers from state") @@ -634,10 +635,14 @@ func (r *Runtime) refresh(alivePath string) error { if err != nil { return errors.Wrapf(err, "error retrieving all pods from state") } - // No locks are taken during pod and container refresh. - // Furthermore, the pod and container refresh() functions are not + vols, err := r.state.AllVolumes() + if err != nil { + return errors.Wrapf(err, "error retrieving all volumes from state") + } + // No locks are taken during pod, volume, and container refresh. + // Furthermore, the pod/volume/container refresh() functions are not // allowed to take locks themselves. - // We cannot assume that any pod or container has a valid lock until + // We cannot assume that any pod/volume/container has a valid lock until // after this function has returned. // The runtime alive lock should suffice to provide mutual exclusion // until this has run. @@ -651,6 +656,11 @@ func (r *Runtime) refresh(alivePath string) error { logrus.Errorf("Error refreshing pod %s: %v", pod.ID(), err) } } + for _, vol := range vols { + if err := vol.refresh(); err != nil { + logrus.Errorf("Error refreshing volume %s: %v", vol.Name(), err) + } + } // Create a file indicating the runtime is alive and ready file, err := os.OpenFile(alivePath, os.O_RDONLY|os.O_CREATE, 0644) diff --git a/libpod/volume_internal.go b/libpod/volume_internal.go index 42b935e7c..e89b3484d 100644 --- a/libpod/volume_internal.go +++ b/libpod/volume_internal.go 
@@ -5,6 +5,7 @@ import ( "path/filepath" "github.com/containers/libpod/libpod/define" + "github.com/pkg/errors" ) // Creates a new volume @@ -46,3 +47,14 @@ func (v *Volume) update() error { func (v *Volume) save() error { return v.runtime.state.SaveVolume(v) } + +// Refresh volume state after a restart. +func (v *Volume) refresh() error { + lock, err := v.runtime.lockManager.AllocateAndRetrieveLock(v.config.LockID) + if err != nil { + return errors.Wrapf(err, "error acquiring lock %d for volume %s", v.config.LockID, v.Name()) + } + v.lock = lock + + return nil +} diff --git a/pkg/adapter/containers.go b/pkg/adapter/containers.go index 2b838452c..0c73977c7 100644 --- a/pkg/adapter/containers.go +++ b/pkg/adapter/containers.go @@ -461,7 +461,8 @@ func (r *LocalRuntime) Run(ctx context.Context, c *cliconfig.RunValues, exitCode if c.IsSet("rm") { if err := r.Runtime.RemoveContainer(ctx, ctr, false, true); err != nil { - if errors.Cause(err) == define.ErrNoSuchCtr { + if errors.Cause(err) == define.ErrNoSuchCtr || + errors.Cause(err) == define.ErrCtrRemoved { logrus.Warnf("Container %s does not exist: %v", ctr.ID(), err) } else { logrus.Errorf("Error removing container %s: %v", ctr.ID(), err) diff --git a/rootless.md b/rootless.md index 4fb3c7deb..69de6db21 100644 --- a/rootless.md +++ b/rootless.md @@ -42,3 +42,5 @@ can easily fail * Pause and Unpause (Works with cgroup V2 support) * Issues with higher UIDs can cause builds to fail * If a build is attempting to use a UID that is not mapped into the user namespace mapping for a container, then builds will not be able to put the UID in an image. +* Making device nodes within a container fails, even when running --privileged. + * Kernel does not allow non root user processes (processes without CAP_MKNOD) to create device nodes. If container needs to create device nodes, it must be run as root. diff --git a/troubleshooting.md b/troubleshooting.md index c4e577645..9def0e08b 100644 --- a/troubleshooting.md 
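Review bot: the new `Volume.refresh` leaves `v.lock` untouched when `AllocateAndRetrieveLock` fails, and its caller in `Runtime.refresh` (libpod/runtime.go hunk above) only logs the failure and carries on, so the volume stays registered with whatever `lock` it was loaded with — presumably nil — and later lock-taking operations on it fail or panic without pointing back to the cause. That contract belongs in the doc comment, e.g. `// refresh re-allocates the volume's lock from its persisted LockID after a runtime restart. On error v.lock is left unchanged and the volume must not be used until a refresh succeeds.` Whether a volume whose lock cannot be reacquired should additionally be marked in the state is a design question worth raising with the maintainers.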
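Review bot: the widened condition in `LocalRuntime.Run` (pkg/adapter/containers.go hunk) calls `errors.Cause(err)` twice on consecutive lines; hoisting it into a local reads better and makes it obvious both comparisons look at the same value: `cause := errors.Cause(err)` before the `if`, then `if cause == define.ErrNoSuchCtr || cause == define.ErrCtrRemoved {`. The enclosing `Run` function begins and ends outside this hunk.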
+++ b/troubleshooting.md @@ -413,7 +413,6 @@ You'll need to either: ### 17) rootless containers exit once the user session exits - You need to set lingering mode through loginctl to prevent user processes to be killed once the user session completed. @@ -429,3 +428,17 @@ You'll need to either: or as root if your user has not enough privileges. * sudo loginctl enable-linger $UID + +### 18) `podman run` fails with "bpf create: permission denied error" + +The Kernel Lockdown patches deny eBPF programs when Secure Boot is enabled in the BIOS. [Matthew Garrett's post](https://mjg59.dreamwidth.org/50577.html) desribes the relationship between Lockdown and Secure Boot and [Jan-Philip Gehrcke's](https://gehrcke.de/2019/09/running-an-ebpf-program-may-require-lifting-the-kernel-lockdown/) connects this with eBPF. [RH bug 1768125](https://bugzilla.redhat.com/show_bug.cgi?id=1768125) contains some additional details. + +#### Symptom + +Attempts to run podman result in + +```Error: bpf create : Operation not permitted: OCI runtime permission denied error``` + +#### Solution + +One workaround is to disable Secure Boot in your BIOS. |